Why Security Pros Need to Prepare Now

Have you ever heard of the Cullinan diamond? If you haven’t, it was the largest diamond ever discovered: a 3106-carat diamond found in 1905 in South Africa. What’s interesting about the Cullinan diamond (at least to me) isn’t so much the discovery of the stone itself but what happened afterward: specifically, the cutting of the diamond.

The Cullinan diamond was split into a number of smaller pieces — nine large pieces and dozens of smaller ones — by Joseph Asscher, a noted diamond cutter of the time. The story goes that the cutting of the diamond required six months of preparation and study, and that the first attempt actually caused the blade he was using to shatter. After more preparation, he attempted a second strike and sealed the deal, actually fainting with exhaustion and stress once the deed was accomplished.

The reason I’m bringing this up is that it’s a pretty good metaphor for what can sometimes happen in security: diamond is one of the hardest materials on Earth, right? Yet if hit in exactly the right place with the right amount of force, it will splinter like so much glass. Understanding ahead of time that it will splinter, and exactly where and how, is not only possible — it’s a necessary part of the diamond-cutting process. It’s arguably the primary skill that separates a skilled diamond cutter from an unskilled one.

Security programs are very similar in some respects. There are weak areas that any security program will have — this is true universally, even though the specifics vary from program to program and company to company. Like a diamond cutter, our ability to do our job well rests in part on understanding where those weak spots are, and being alert for the specific situations that will press against them.

This is one reason why it’s so important for security pros to pay attention to the Internet of Things. IoT represents an area of pressure — and the adoption dynamics are such that they may apply that pressure directly against a known weak point in many security programs. Understanding why this is the case — and preparing for it now — can make quite a bit of difference down the road.